HighBlackICE PC Protection, RealSecure Server Sensor, RealSecure Network, Proventia-G 1.1 and earlier, Proventia Network MFS, Proventia Network IDS, IBM Security Server Protection for Windows, BlackICE Server Protection, Proventia Desktop, Proventia Network IPS, Virtual Server Protection for Vmware, Proventia Server IPS for Linux technology:
This signature triggers when the size of an HTTP request is greater than pam.http.request.limit and the HTTP server is known to be either Apache, Oracle or is unknown.
BlackICE PC Protection, RealSecure Server Sensor, RealSecure Network, Proventia-G 1.1 and earlier, Proventia Network MFS, Proventia Network IDS, IBM Security Server Protection for Windows, BlackICE Server Protection, Proventia Desktop, Proventia Network IPS, Virtual Server Protection for Vmware, Proventia Server IPS for Linux technology: This signature will trigger on any HTTP request data when it meets the specifications described by the algorithm.
This signature will trigger on any HTTP request when it meets the specifications described by the algorithm.
BlackICE PC Protection, RealSecure Server Sensor, RealSecure Network, Proventia-G 1.1 and earlier, Proventia Network MFS, Proventia Network IDS, IBM Security Server Protection for Windows, BlackICE Server Protection, Proventia Desktop, Proventia Network IPS, Virtual Server Protection for Vmware, Proventia Server IPS for Linux technology: If you customize the server type reported by your HTTP server, then this signature may not trigger in your environment.
High
BlackICE PC Protection: 3.6crf, RealSecure Server Sensor: XPU 28.120, RealSecure Network: XPU 28.120, Proventia-G 1.1 and earlier: XPU 28.120, Proventia Network MFS: XPU 28.120, Proventia Network IDS: XPU 28.120, IBM Security Server Protection for Windows: 2.1.14.2400, BlackICE Server Protection: 3.6.crf, IBM Security Server Protection for Windows: 1.0.914.2260, IBM Security Server Protection for Windows: 2.0.300.2260, Proventia Desktop: 2260, Proventia Network IPS: XPU 28.120, Virtual Server Protection for Vmware: 1.0, Proventia Server IPS for Linux technology: 28.120
Oracle WebLogic Server: 6.0, Oracle WebLogic Server: 6.1 SP1, Oracle WebLogic Server: 6.1 SP2, Oracle WebLogic Server: 6.1, Oracle WebLogic Server: 7.0, Oracle WebLogic Server: 7.0.0.1, Oracle WebLogic Server: 5.1, Oracle WebLogic Server: 7.0 SP4, Oracle WebLogic Server: 7.0 SP5, Oracle WebLogic Server: 8.1, Oracle WebLogic Server: 8.1 SP1, Oracle WebLogic Server: 9.0, Oracle WebLogic Server: 7.0 SP6, Oracle WebLogic Server: 9.1, Oracle WebLogic Server: 8.1 SP6, Oracle WebLogic Server: 7.0 SP7, Oracle WebLogic Server: 10.0, Oracle WebLogic Server: 10.0 MP1, Oracle WebLogic Server: 3.1.8, Oracle WebLogic Server: 4.0, Oracle WebLogic Server: 4.0.4, Oracle WebLogic Server: 4.5, Oracle WebLogic Server: 4.5.1, Oracle WebLogic Server: 4.5.1 SP15, Oracle WebLogic Server: 4.5.2, Oracle WebLogic Server: 4.5.2 SP1, Oracle WebLogic Server: 4.5.2 SP2, Oracle WebLogic Server: 5.1 SP1, Oracle WebLogic Server: 5.1 SP10, Oracle WebLogic Server: 5.1 SP11, Oracle WebLogic Server: 5.1 SP12, Oracle WebLogic Server: 5.1 SP13, Oracle WebLogic Server: 5.1 SP2, Oracle WebLogic Server: 5.1 SP3, Oracle WebLogic Server: 5.1 SP4, Oracle WebLogic Server: 5.1 SP5, Oracle WebLogic Server: 5.1 SP6, Oracle WebLogic Server: 5.1 SP7, Oracle WebLogic Server: 5.1 SP8, Oracle WebLogic Server: 5.1 SP9, Oracle WebLogic Server: 6.1 SP3, Oracle WebLogic Server: 6.1 SP4, Oracle WebLogic Server: 6.1 SP5, Oracle WebLogic Server: 6.1 SP6, Oracle WebLogic Server: 6.1 SP7, Oracle WebLogic Server: 6.1 SP8, Oracle WebLogic Server: 7.0.0.1 SP1, Oracle WebLogic Server: 7.0.0.1 SP2, Oracle WebLogic Server: 7.0.0.1 SP3, Oracle WebLogic Server: 7.0.0.1 SP4, Oracle WebLogic Server: 8.1 SP2, Oracle WebLogic Server: 8.1 SP3, Oracle WebLogic Server: 8.1 SP4, Oracle WebLogic Server: 8.1 SP5, Oracle WebLogic Server: 9.1 GA, Oracle WebLogic Server: 9.2, Oracle WebLogic Server: 9.2 MP1, Oracle WebLogic Server: 9.2 MP2, Oracle WebLogic Server: 10.3, Oracle WebLogic Server: 6.0 SP6, Oracle WebLogic Server: 7.0 SP1, Oracle WebLogic Server: 7.0 SP2, Oracle WebLogic Server: 7.0 SP3, Oracle WebLogic Server: 9.0 GA, Oracle WebLogic Server: 9.0 SP1, Oracle WebLogic Server: 9.0 SP2, Oracle WebLogic Server: 9.0 SP3, Oracle WebLogic Server: 9.0 SP4, Oracle WebLogic Server: 9.0 SP5, BEA Apache Connector IN WebLogic Server, Oracle WebLogic Server: 6.0 SP1, Oracle WebLogic Server: 6.0 SP2
Unauthorized Access Attempt
Oracle WebLogic Server (formerly known as BEA WebLogic Server) is vulnerable to a buffer overflow, caused by improper bounds checking by the Apache Connector. By sending a specially-crafted HTTP POST request, a remote attacker could overflow a buffer and execute arbitrary code on the system or cause the server to crash.
Apply the appropriate patch for your system, as listed in BEA Security Advisory (CVE-2008-3257). See References.
BEA Web site
BEA WebLogic Server
http://www.bea.com/framework.jsp?CNT=index.htm&FP=/content/products/weblogic/server
milw0rm.com [2008-07-17]
Bea Weblogic Apache Connector Code Exec / Denial of Service Exploit
http://milw0rm.com/exploits/6089
BEA Security Advisory (CVE-2008-3257)
Security vulnerability in WebLogic plug-in for Apache
https://support.bea.com/application_content/product_portlets/securityadvisories/2793.html
IBM Internet Security Systems Protection Alert - August 1, 2008
Oracle WebLogic Server Apache Connector Remote Code Execution
http://iss.net/threats/299.html
Oracle Security Alert for CVE-2008-3257
Alert_CVE-2008-3257
http://www.oracle.com/technology/deploy/security/alerts/alert_cve2008-3257.html
ISS X-Force
Oracle WebLogic Server Apache Connector buffer overflow
http://www.iss.net/security_center/static/43885.php
CVE
CVE-2008-3257
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3257